Ideas

Stuff I have been thinking about. General Linux stuff, personal stuff, Arch Linux stuff.

Extend kernel PCR with cmdline

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f046fff8bc4c

The kernel doesn't checksum the cmdline into a PCR, which would be useful when we are already measuring the vmlinuz image.

efibootctl

Rewrite efibootmgr in Go with go-uefi and improve usability.

pacman-ostree

Move pacman DbPath to /usr. https://lwn.net/Articles/881107/

mkinitcpio

Implement .d directory overrides to hooks. We want to consolidate the hooks from several packages.

Kernel module signing

Just generally; how do we solve this without getting tied to a MOK?

Archweb nvchecker integration

Consider nvchecker: https://github.com/lilydjwg/nvchecker

All repositories can have a .NVCHECKER file like the one below:

[go]
source = "github"
github = "golang/go"
prefix = "go"
use_max_tag = true
exclude_regex = ".*(release|weekly|rc|alpha|beta).*"

The section name would be $pkgbase and the rest of the configuration follows the nvchecker documentation.

The implementation for archweb would be a timer running "python manage.py nvchecker" which iterates over all PKGBASEs archweb knows about.

We'd look up the following URL: https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/389-ds-base/trunk/.NVCHECKER

If this file exists we fetch the pkgname, pkgver and the .NVCHECKER file.

We run nvchecker (how this is done... not sure!) on it and flag the package out of date (OOD) if there is a change.
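A sketch of that per-package pipeline, as an added example and not archweb's or nvchecker's own code: it builds the raw URL from the pkgbase, parses the .NVCHECKER file, checks the fetched file before trusting it, picks a version from a tag list the way the prefix / exclude_regex / use_max_tag options read, and flags OOD when the result differs from pkgver. The .NVCHECKER text and the tag list are constructed inline so it runs offline (a real run would fetch the file and let nvchecker talk to upstream); the source allowlist, the pkgbase character check, the tiny TOML-subset parser and the version-sorting rule are all assumptions of this example rather than behaviour the page or nvchecker documents.

```python
"""Per-package nvchecker pipeline for archweb (example code, not archweb's own)."""
import re
from typing import Dict, List, Optional

RAW_BASE = "https://raw.githubusercontent.com/archlinux/svntogit-packages/packages"

# Assumption: archweb only runs sources it has decided to support. The file
# comes from a package repository, so it is input to be validated, not trusted.
ALLOWED_SOURCES = {"github", "gitlab", "pypi"}


def nvchecker_url(pkgbase: str) -> str:
    """Raw URL to look up, following the page's 389-ds-base example.
    The character check (assumption) keeps a malformed pkgbase from
    turning into path components like '../' in the URL."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9@._+-]*", pkgbase):
        raise ValueError(f"refusing to build a URL for pkgbase {pkgbase!r}")
    return f"{RAW_BASE}/{pkgbase}/trunk/.NVCHECKER"


def parse_nvchecker(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the TOML subset a .NVCHECKER file uses:
    [section], key = "string", key = true/false. A real run would use a
    full TOML parser; this is enough to show the shape of the data."""
    config: Dict[str, Dict[str, object]] = {}
    section: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config[section] = {}
            continue
        if section is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected '[section]' or 'key = value'")
        key, _, value = (part.strip() for part in line.partition("="))
        if value in ("true", "false"):
            config[section][key] = value == "true"
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            config[section][key] = value[1:-1]
        else:
            raise ValueError(f"line {lineno}: unsupported value {value!r}")
    return config


def check_config(config: Dict[str, Dict[str, object]], pkgbase: str) -> Dict[str, object]:
    """The single section must be the pkgbase we asked about (the page's
    '$pkgbase' rule) and the source must be one archweb is prepared to run."""
    if list(config) != [pkgbase]:
        raise ValueError(f"expected exactly one [{pkgbase}] section, got {list(config)}")
    entry = config[pkgbase]
    if entry.get("source") not in ALLOWED_SOURCES:
        raise ValueError(f"source {entry.get('source')!r} is not allowed")
    return entry


def version_key(version: str) -> tuple:
    """Sort key: the numeric components of a version, e.g. '1.21.0' -> (1, 21, 0)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def select_version(tags: List[str], entry: Dict[str, object]) -> Optional[str]:
    """Apply prefix, exclude_regex and use_max_tag as this example reads them
    (an approximation of nvchecker's own list handling): keep tags that carry
    the prefix and do not match exclude_regex, strip the prefix, take the max."""
    prefix = str(entry.get("prefix", ""))
    exclude = re.compile(str(entry["exclude_regex"])) if "exclude_regex" in entry else None
    candidates = [
        tag[len(prefix):]
        for tag in tags
        if tag.startswith(prefix) and not (exclude and exclude.search(tag))
    ]
    if not candidates:
        return None
    return max(candidates, key=version_key) if entry.get("use_max_tag") else candidates[0]


def is_out_of_date(pkgver: str, upstream: Optional[str]) -> bool:
    """The page's rule: flag OOD when the upstream version differs from pkgver."""
    return upstream is not None and upstream != pkgver


# Constructed sample input: the page's go example and a made-up tag list standing
# in for what nvchecker would fetch from GitHub.
SAMPLE_NVCHECKER = """[go]
source = "github"
github = "golang/go"
prefix = "go"
use_max_tag = true
exclude_regex = ".*(release|weekly|rc|alpha|beta).*"
"""
SAMPLE_TAGS = ["go1.19.5", "go1.20", "go1.21rc1", "go1.21.0", "weekly.2023-01-01"]


def check_package(pkgbase: str, pkgver: str, nvchecker_text: str, tags: List[str]) -> dict:
    """One iteration of the timer: validate the file, pick a version, flag OOD."""
    entry = check_config(parse_nvchecker(nvchecker_text), pkgbase)
    upstream = select_version(tags, entry)
    return {"url": nvchecker_url(pkgbase), "upstream": upstream,
            "out_of_date": is_out_of_date(pkgver, upstream)}


if __name__ == "__main__":
    print(check_package("go", "1.20", SAMPLE_NVCHECKER, SAMPLE_TAGS))
```

With pkgver 1.20 the run selects 1.21.0 (1.21rc1 and the weekly tag are excluded) and flags the package out of date. Nothing here touches secrets: a source that needs an API token would get it from archweb's own configuration, never from the fetched file.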

TODO

  • How do we deal with secrets? Do we want to deal with secrets?
  • Timer could be once per day
  • Configurable?

Witness logs

https://github.com/google/trillian-examples/tree/master/witness

  • kernel.org monitor
  • lvfs monitor